Contemporary mobile devices typically use two processing units. A first of the processing units can be used for communication (e.g., transmission/receiving, encoding/decoding, protocol support, etc.) while a second of the processing units can be used for user interface or application support (e.g., screen, keyboard, interfaces, operating system, applications). Because there are two processing units, a hacker could attempt to compromise either one.
Rootkits are a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection. Rootkits typically enable continued privileged access to the compromised system. Rootkit installation may be either automated or activated when an attacker obtains root or Administrator access. Obtaining this access is either a result of a direct attack on a system (i.e., exploiting a known vulnerability) or of getting access to a password (by cracking, privilege escalation, or social engineering). Once installed, it is typically a goal of a rootkit to hide the intrusion as well as to maintain privileged access for itself (or other processes). Like any software, rootkits can have a good purpose or a malicious purpose. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent an attack.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.
Modern rootkits do not necessarily elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased.
Rootkits can run at different privilege levels (e.g., modes) of a computer environment. User-mode rootkits run at the same mode as most other user applications, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically-linked library (such as a .DLL, .dylib, .so, or .shlib file) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.
Kernel-mode rootkits run with the highest operating system privileges by adding code to or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are implemented as device drivers or loadable kernel modules. This class of rootkit has unrestricted security access. Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations and thereby “hide” themselves in a stealth-like manner.
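The detection methods named above (difference scanning, signature scanning, memory dump analysis) all share one idea: the infected operating system's own view of itself cannot be trusted, so evidence is gathered from a second vantage point (an alternative trusted OS, a raw memory image, or the device's other processing unit) and compared against what the suspect OS reports. The following is an added illustration, not code from this disclosure; the process views, memory image, signature, code regions and baseline hashes are constructed sample data, and the region names are hypothetical.

```python
"""Cross-view rootkit detection, an added example (constructed data).

Three of the detection methods the text lists, in their simplest form:
  * difference scanning  - compare a trusted process view with the OS's own view
  * signature scanning   - search a raw memory image for known-bad byte patterns
  * memory dump analysis - hash code regions from a dump against a clean baseline
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def cross_view_diff(trusted_view, os_view):
    """Difference scanning. 'hidden' = present in the trusted view but not reported by
    the OS (the classic rootkit symptom); 'phantom' = reported by the OS but absent from
    the trusted view; 'renamed' = same pid, different name in the two views."""
    trusted = {p.pid: p for p in trusted_view}
    reported = {p.pid: p for p in os_view}
    hidden = sorted(pid for pid in trusted if pid not in reported)
    phantom = sorted(pid for pid in reported if pid not in trusted)
    renamed = sorted(pid for pid in trusted
                     if pid in reported and trusted[pid].name != reported[pid].name)
    return {"hidden": hidden, "phantom": phantom, "renamed": renamed}


def signature_scan(memory: bytes, signatures: dict):
    """Signature scanning over a raw memory image. Returns (offset, label) for every
    occurrence of every pattern, including overlapping ones."""
    hits = []
    for label, pattern in signatures.items():
        start = 0
        while (idx := memory.find(pattern, start)) >= 0:
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)


def code_integrity_check(regions: dict, baseline: dict):
    """Memory dump analysis. Each named code region taken from the dump is hashed and
    compared with the hash recorded from a clean install of the same build; a region
    whose hash differs (or that has no baseline at all) was modified in memory."""
    return sorted(name for name, data in regions.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(name))


# ---- constructed sample data (not from the disclosure) ----
TRUSTED_VIEW = [Proc(1, "init"), Proc(412, "sshd"), Proc(4242, "kworker/u:9"), Proc(5010, "bash")]
OS_VIEW = [Proc(1, "init"), Proc(412, "sshd"), Proc(5010, "bash")]        # pid 4242 hidden

MARKER = b"EXAMPLE_ROOTKIT_MARKER"                                         # constructed signature
MEMORY_IMAGE = b"\x00" * 16 + MARKER + b"\x00" * 8 + MARKER + b"\x00" * 4
SIGNATURES = {"example-rootkit-marker": MARKER}

CODE_REGIONS = {                      # hypothetical region names, constructed contents
    "process_enumeration_api": b"CLEAN_ENUM_CODE",
    "file_open_dispatch": b"PATCHED_OPEN_CODE",
}
BASELINE = {
    "process_enumeration_api": hashlib.sha256(b"CLEAN_ENUM_CODE").hexdigest(),
    "file_open_dispatch": hashlib.sha256(b"CLEAN_OPEN_CODE").hexdigest(),
}


def run_example():
    """Runs all three checks on the sample data and returns the findings."""
    return {
        "process_diff": cross_view_diff(TRUSTED_VIEW, OS_VIEW),
        "signature_hits": signature_scan(MEMORY_IMAGE, SIGNATURES),
        "modified_code": code_integrity_check(CODE_REGIONS, BASELINE),
    }


if __name__ == "__main__":
    for check, finding in run_example().items():
        print(f"{check}: {finding}")
```

Two caveats a practitioner would add: the trusted view must genuinely be collected outside the suspect operating system (a snapshot taken through the same hooked API proves nothing, which is why an independent processing unit or an offline dump matters), and the two views must be taken close together in time, since a process that exits between snapshots shows up as "hidden" without any rootkit being present.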
Because rootkits and other viruses (which include all types of malicious code: Trojan horses, exploits, shellcodes, keyloggers, backdoors, spyware, botnets, adware, information stealers, etc.) operate in the above-described stealth-like manners (among others), they are difficult to detect and/or clean from within the scope of the infected operating environment. This disclosure addresses these and other issues to provide methods and systems to detect active rootkits and other viruses (i.e., malicious code) that attempt to conceal themselves from detection on the infected processing unit.